Privacy Policy
Effective Date: April 20, 2026 Last Updated: April 20, 2026
Red Sovereign LLC, doing business as Aumata (“Aumata,” “we,” “us,” or “our”), operates the website at www.aumata.ai (the “Site”) and provides managed marketing services (the “Services”). This Privacy Policy explains what personal information we collect, how we use and share it, and what choices you have.
This Privacy Policy applies to the Site and, unless a separate customer agreement applies, to the Services. Customers receive additional protections under our Data Processing Addendum.
If you are a California resident, this policy also serves as our Notice at Collection under the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”). See Section 8.
By using the Site, you acknowledge this Privacy Policy.
1. Categories of personal information we collect
We collect the following categories of personal information (using the CCPA/CPRA category names for clarity):
| Category | Examples we collect | Collected from |
|---|---|---|
| Identifiers | Name, work email, company, role, phone (optional), IP address, device identifiers | You, automatically from your browser, RB2B (US visitors only) |
| Customer records | Business billing and contact information for paying customers | You |
| Commercial information | Services purchased, billing history, inquiries about plans | You, payment processor |
| Internet or network activity | Pages visited, clicks, session timing, referring URL, UTM parameters, browser/device metadata | Google Analytics, Microsoft Clarity, Ahrefs Analytics |
| Geolocation (coarse) | City/region inferred from IP | Cloudflare, analytics providers |
| Inferences | Interest in specific Services based on pages viewed and form intent | Us |
| Professional information | Role, company size, industry (when you tell us) | You, public sources (LinkedIn, company website) when preparing a Strategy Audit |
We do not knowingly collect sensitive personal information (as defined by CPRA), special categories of data under GDPR, or information about children under 13.
2. How we collect it
- Directly from you: when you fill out the contact form, request a free Strategy Audit, buy a plan, or email us.
- Automatically: through cookies and similar technologies when you use the Site (see our Cookie Policy).
- From third parties: analytics providers; RB2B (US visitors only — see Section 4); publicly available business sources when tailoring a Strategy Audit.
3. Why we use it (purposes and legal bases)
| Purpose | Categories used | GDPR legal basis |
|---|---|---|
| Responding to inquiries, delivering Strategy Audits | Identifiers, professional information | Performance of a contract / pre-contract steps at your request |
| Delivering paid Services | All categories above | Performance of a contract |
| Site analytics and improvement | Internet activity, coarse geolocation | Consent (EU/UK); legitimate interest (US) |
| Identifying inbound B2B interest (RB2B, US only) | Identifiers, IP address | Legitimate interest; opt-out available (US Privacy Choices) |
| Marketing emails to existing contacts | Identifiers, commercial information | Consent or legitimate interest; unsubscribe always available |
| Fraud, abuse, and security | Identifiers, internet activity | Legitimate interest; legal obligation |
| Legal compliance | All categories as needed | Legal obligation |
4. How we share it
We do not sell personal information for money. Our practices under the CCPA/CPRA definitions of “sell” and “share” are as follows.
4.1 Service providers and sub-processors
We share personal information with the service providers listed on our Sub-processors page. Each is contractually obligated to process data only on our instructions and to keep it secure.
4.2 “Sharing” for cross-context behavioral purposes
For US visitors only, we use RB2B to identify the companies of anonymous business visitors to our Site. This may qualify as “sharing” under the CCPA/CPRA. EU/UK/Swiss visitors are excluded at RB2B’s network edge. You may opt out at any time through our Your Privacy Choices page. We honor the Global Privacy Control (GPC) signal automatically for visitors from states whose laws recognize it.
4.3 Analytics
Our analytics providers (Google Analytics, Microsoft Clarity, Ahrefs Analytics) receive your IP address, pages visited, and interaction data. These are loaded only after consent in the EU/UK and only when not overridden by GPC in applicable US states.
4.4 With your authorization
When you engage our Services, you may authorize us to access third-party platforms (e.g., Google Ads, LinkedIn, Meta, Google Business Profile) on your behalf. We use these only to deliver the Services you have engaged.
4.5 Legal and business transfers
We may disclose information to comply with law, enforce our terms, protect our rights or the safety of others, or as part of a merger, acquisition, or asset sale. In the case of a corporate transaction, you will be notified where required.
5. International data transfers
Aumata is headquartered in the United States. When personal information is transferred from the EEA, UK, or Switzerland to the United States or other countries, we rely on:
- The EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework (where Aumata or the receiving sub-processor is certified).
- Standard Contractual Clauses (Module Two or Three, as applicable) as a backup and for providers not certified under the DPF.
- The UK International Data Transfer Addendum for transfers subject to UK GDPR.
See our DPA for details, or contact privacy@aumata.com for a copy of the SCCs we use.
6. How long we keep it
| Data | Retention |
|---|---|
| Active customer data | For the duration of the engagement, then deleted within 30 days of termination unless law requires longer retention |
| Strategy Audit leads | 2 years from submission, unless you request earlier deletion |
| Contact form submissions | 3 years, then deleted |
| Google Analytics | 14 months |
| Microsoft Clarity | 1 year |
| RB2B company signals | 90 days in our CRM |
| Billing records | 7 years (US tax) |
| Consent and privacy-choice logs | 2 years after the last update |
7. Your rights
Depending on where you live, you have some or all of the rights below. We respond within 45 days (CCPA/CPRA; extendable once by 45 days) or 1 month (GDPR; extendable by 2 months for complex requests).
- Know / access: request a copy of the personal information we hold about you, including categories, sources, purposes, and recipients.
- Correct: ask us to fix inaccurate information.
- Delete: ask us to delete your personal information, subject to legal exceptions.
- Portability: ask for your data in a machine-readable format.
- Opt out of “sale” or “sharing”: use the Your Privacy Choices link in our footer, or send the Global Privacy Control signal from your browser. We honor GPC for visitors from California, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, and Minnesota. When we honor a GPC signal, we display a “GPC detected — opt-out honored” confirmation on the Your Privacy Choices page.
- Limit use of sensitive PI (CPRA): we do not collect sensitive PI for purposes that would trigger this right, but you may still contact us.
- Withdraw consent (GDPR): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: with your local supervisory authority (EU) or the California Privacy Protection Agency.
To exercise a right, email privacy@aumata.com or use the Your Privacy Choices page. We may ask for information to verify your identity; verification will be proportionate to the sensitivity of the request. An authorized agent may act on your behalf with written authorization.
We will not discriminate against you for exercising a privacy right.
8. California Notice at Collection (CCPA/CPRA)
- Categories of personal information collected: as listed in Section 1.
- Purposes: as listed in Section 3.
- Categories sold: none.
- Categories shared for cross-context behavioral advertising: identifiers (company name derived from IP) via RB2B, for US visitors only. You may opt out.
- Retention: as listed in Section 6.
- Sensitive PI: we do not use or disclose sensitive PI for purposes beyond those permitted under CPRA § 7027.
Opt out, delete, correct, know: Your Privacy Choices or privacy@aumata.com.
9. Other US state rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island have rights substantially similar to those in Section 7. Submit requests to privacy@aumata.com. You have the right to appeal a denial by replying to our response email.
10. Security
We use TLS for data in transit; encryption at rest via managed cloud providers; role-based access with least privilege; MFA on administrative accounts; vendor security reviews; and an incident response plan. No system is perfectly secure. If we learn of a breach affecting your personal information, we will notify you as required by applicable law.
11. Children
Our Site and Services are not directed to children. We do not knowingly collect personal information from children under 13 (or 16 where local law imposes a higher threshold). If you believe we have, email privacy@aumata.com and we will delete it.
12. AI processing
We use large language models to help produce marketing content and to run our agents. We do not use your personal information to train or fine-tune models. Full details are in our AI Disclosure.
13. Changes
We may update this Privacy Policy. When we make material changes we will update the “Last Updated” date and, where required, provide additional notice on the Site or by email to active customers.
14. Contact
Red Sovereign LLC d/b/a Aumata Privacy inquiries and data subject requests: privacy@aumata.com General contact: www.aumata.ai/contact
EU/UK visitors may also contact Aumata’s primary points of compliance above; Aumata does not appoint an Article 27 representative, as our processing of EU Personal Data is occasional and does not involve large-scale processing of special categories of data or regular monitoring of Data Subjects.